      Using Metadata v2

        Available in VPC

        Overview

        Metadata v2 changes how the Metadata API is called in order to compensate for the SSRF (server-side request forgery) security vulnerability of Metadata v1.

        • Metadata v1 - request/response method
        • Metadata v2 - session-oriented method

        Depending on the configuration of the server instance, you can use both v1 and v2, or only use v2.

        Metadata v1 security vulnerability

        When operating a service or running software on a server instance that can use the Metadata v1 method, additional measures and precautions may be required to prevent exposure of metadata (server or role data).
        If the running service has an SSRF vulnerability that you are not aware of, the Metadata API of the server instance can be called from the outside through that service, and metadata can be acquired.
        To block this exposure, you must change the Metadata version setting of the server instance to use only v2.
        The Metadata v2 method protects against metadata exposure through SSRF vulnerabilities by issuing a token through the PUT method and performing token authentication for Metadata API calls.

        Set the Metadata version of the server instance

        After the server instance has been created, the settings can be changed only through the console.

        1. Connect to the server console [Services > Compute > Server].
        2. Select the version through the [Server management and configuration change > Metadata API management] menu.
           • v1 and v2
             • Both the v1 and v2 versions are available.
             • A call is treated as v1 or v2 depending on whether the token header is passed when calling the Metadata API.
             • If the token header is not entered, the request is performed without an authentication process.
             • If the token header is entered, the request is performed with authentication of the header value passed.
           • v2 (token required)
             • Only the v2 version is available.
             • A token header value must be entered when calling the Metadata API.

        Examples

        • Header
          • X-NCP-METADATA-TOKEN-TTL-SECONDS: header to set session duration (seconds) when issuing tokens (1 to 21600 seconds)
          • X-NCP-METADATA-TOKEN: header to deliver token issued when calling Metadata API

        Separate command

        [root@test-server ~]# TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-NCP-METADATA-TOKEN-TTL-SECONDS: 21600"`

        [root@test-server ~]# curl -H "X-NCP-METADATA-TOKEN: $TOKEN" http://169.254.169.254/latest/meta-data

        Combined command

        [root@test-server ~]# TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-NCP-METADATA-TOKEN-TTL-SECONDS: 21600"` \
        && curl -H "X-NCP-METADATA-TOKEN: $TOKEN" http://169.254.169.254/latest/meta-data


        Note

        If the token is not issued normally, an error message may be stored in the variable instead of a token.
        Metadata API calls do not work properly in this case.
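
The commands above store whatever the PUT returns in the variable, which is how the error message described in the note ends up being used as a token. The following is an added example, not part of the original article: it checks the HTTP status before using the response body and enforces the 1 to 21600 second TTL range. The function names are hypothetical, and treating any 2xx status as success is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.
# Endpoint and header names are the ones shown in the article.
MD_BASE="http://169.254.169.254/latest"

# Send one request; print the body only when the status is 2xx.
# Assumption: any 2xx status means success (the article does not list codes).
md_request() {   # usage: md_request METHOD URL HEADER
    md_tmp=$(mktemp) || return 1
    md_code=$(curl -sS --max-time 5 -o "$md_tmp" -w '%{http_code}' \
        -X "$1" -H "$3" "$2") || md_code=000
    case "$md_code" in
        2??) cat "$md_tmp"; md_rc=0 ;;
        *)   echo "Metadata API request failed: HTTP $md_code" >&2; md_rc=1 ;;
    esac
    rm -f "$md_tmp"
    return "$md_rc"
}

# Issue a session token. Nothing is printed on failure, so a caller's
# variable can never end up holding an error message.
md_token() {     # usage: md_token [TTL_SECONDS]
    md_ttl=${1:-21600}
    case "$md_ttl" in
        *[!0-9]*) echo "TTL must be an integer" >&2; return 2 ;;
    esac
    if [ "$md_ttl" -lt 1 ] || [ "$md_ttl" -gt 21600 ]; then
        echo "TTL must be 1 to 21600 seconds" >&2; return 2
    fi
    md_request PUT "$MD_BASE/api/token" \
        "X-NCP-METADATA-TOKEN-TTL-SECONDS: $md_ttl"
}

# Call the Metadata API with a token; a 401 for a bad token becomes a
# non-zero exit status instead of an "Unauthorized." body on stdout.
md_get() {       # usage: md_get TOKEN [PATH]
    [ -n "$1" ] || { echo "empty token" >&2; return 2; }
    md_request GET "$MD_BASE/${2:-meta-data}" "X-NCP-METADATA-TOKEN: $1"
}

# Usage on a server instance:
#   TOKEN=$(md_token 21600) && md_get "$TOKEN" meta-data
```

Because `md_token` exits non-zero and prints nothing on failure, the `&&` in the usage line stops before the Metadata API is called with a bad value.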

        Authentication error response

        [root@test-server ~]# curl -H "X-NCP-METADATA-TOKEN: wrong-token" -i http://169.254.169.254/latest/meta-data
        HTTP/1.1 401 401
        Date: Tue, 11 Apr 2023 02:42:02 GMT
        Server: Apache
        Referrer-Policy: unsafe-url
        Connection: close
        Transfer-Encoding: chunked
        Content-Type: text/plain;charset=UTF-8
        
        Unauthorized.
        [root@test-server ~]#